Maryman- Digital Forensic Services

National Retail Chain Point-of-Sale Breach

CASE STUDY

Point-of-Sale Breach at a Major National Retail Chain

Tags
Credit card theft, point-of-sale, retail, breach, compromise, incident response, computer forensics, digital forensics, incident management, forensics expert
Retail Point of Sale (POS) Breach

Background

The CIO of a national retail chain contacted their attorney, who requested that Maryman assist with an investigation. The company was alerted by their internet service provider (ISP) that several of their systems were sending spam emails. The company’s internal review determined that all the identified systems were retail point-of-sale (POS) systems. Sending emails was not a part of the retail POS system roles, and Maryman was asked to investigate the root cause of the spam emails.

Scope

The Maryman team was asked to forensically preserve the retail POS systems and determine if the spam emails truly originated from these systems, and if there were any other issues with the retail POS systems.

Preservation

The Maryman team went onsite to each of the locations to determine the exact type of system that was running the POS system. Luckily, the systems were all commercial off-the-shelf (COTS) parts that were configured together to run the POS software on a Windows platform. The systems were managed by the POS vendor, including antivirus, anti-malware, host firewall, and updates.

Due to the sensitivity of the environment and the nature of the information, the Maryman team also collected an extended period of network logs to aid in the investigation.

Analysis and Findings

The analysis quickly determined that there was a systemic problem that went beyond just spam email. Over a dozen unique pieces of malware were discovered, ranging from backdoor capability, credit card skimming, spam relays, and full rootkits. Further, there were indications that network traffic was destined to many countries in Eastern Europe, the Middle East, Africa, and Asia.

The POS vendor, per their contract, was supposed to be patching and maintaining the retailer’s systems. However, the Maryman team found that the latest update was run 18 months prior and the most recent malware definitions were retrieved 24 months prior. When confronted, the vendor replied, “Any system updates could have caused problems with the POS software, so we decided not to install the updates.”

Additionally, in testing, it was discovered that the anti-malware software chosen by the POS vendor was subpar. Even with the most recent definitions, the anti-malware software would not have detected half of the malware discovered by the Maryman team on the infected systems.

Next Steps

The Maryman team performed additional testing and determined that bringing the systems up-to-date and installing enterprise-level cybersecurity software, including heuristic-based anti-malware and endpoint detection and response (EDR) had no impact on the POS software. The Maryman team, working collaboratively with the company’s internal IT and cybersecurity teams, were able to contain the infection, remediate the infected systems, determine the full scope of the compromised credit card numbers, produced a list of the persons affected by the breach and assist counsel with the appropriate reporting.

Outcomes

The Maryman team has extensive experience in credit card breaches and were able to leverage that expertise to assist the retail company in not only determining the extent of the breach but also improve the company’s cybersecurity infrastructure despite incorrect information from a third-party security vendor.

Our Mission

To provide our clients with solutions that are conducted with complete confidentiality and proven expertise, replacing questions and liabilities with answers and value. To be responsive to the unique and individual needs of our clients and consistently deliver quality professional services at reasonable costs.

Request a
Consultation Today

818-290-3775

Maryman- Digital Forensic Services
© Copyright 2001 – 2023. Maryman PI Number: CA PI # 26012 | Privacy Policy | All Rights Reserved.
Maryman- Digital Forensic Services

Founded in 2001, Maryman is a professional services firm with 100+ years of experience in digital forensics, specializing in the  full range of investigative and litigation support for cyber matters. Headquartered in Los Angeles, we serve our clients nationwide with local response and global reach across all continents.

Our Services

Digital Forensics Incident Response (DFIR)

Cyber Investigations

Electronic Discovery (e-Discovery)

Expert Witness Testimony Services

Email Forensics (Device & Cloud Accounts)

Mobile (Cell Phone) Forensics

Contacts

joe.greenfield@maryman.com
818-290-3775
  • 16000 Ventura Blvd. Suite 1204 Encino, CA 91436
  • *Office visits are by appointment only
© Copyright 2001 – 2024. Maryman PI Number: CA PI # 26012 | Privacy Policy | All Rights Reserved. Developed by TLG Marketing
Scroll to Top